alexdevassy/AI-Powered-Vulnerability-Impact-Analyzer

Vulnerability impact analyzer that reduces false positives in SCA tools by performing intelligent code analysis. Uses agentic AI with open source models to understand CVEs and verify actual vulnerability impact in your codebase. Keeps your code secure with on-premises execution and human-in-the-loop verification.
AI-Powered Vulnerability Impact Analyzer 🔍

🤖 Where AI meets Security to tell you if you really need to panic about that CVE

🌟 Introduction

Traditional Software Composition Analysis (SCA) tools often generate excessive false positives by solely relying on Software Bill of Materials (SBOM) for vulnerability detection. This tool supercharges the SCA process by performing intelligent impact analysis on reported vulnerabilities.

Using agentic AI powered by the open-source Mistral model, it:

  • 📚 Analyzes the CVE description of each vulnerable package to pinpoint the components that cause the vulnerability
  • 👮 Keeps a human in the loop to ensure accuracy and control
  • 🔍 Searches your codebase for those components
  • 🎯 Performs deep code analysis to verify the actual vulnerability impact
  • 💡 Reduces false positives by understanding context
  • 🔒 Keeps your code secure with a fully on-premises AI solution: no data leaves your premises

🧠 How It Works

The tool implements a multi-agent AI system where specialized agents work together:

  1. GithubAdvisoryTool: Fetches and parses CVE information
  2. SecurityAnalystAgent: Uses Mistral to identify vulnerable components from the CVE description
  3. ComponentSearcherTool: Scans codebase for identified components
  4. CodeReviewerAgent: Analyzes code patterns for actual vulnerability impact
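The pipeline above, sketched as an added Python example that is not the project's own code: step 1 parses an advisory record, step 2 stands in for the Mistral call with a keyword heuristic (the point where the human-in-the-loop confirmation would plug in), and step 3 is an AST-based component search that only reports call sites in files that actually import the vulnerable package. The advisory and the two source files are constructed for the example; the advisory's field names (`ghsa_id`, `description`, `vulnerabilities[].package.name`, `vulnerable_version_range`, `first_patched_version`) follow the GitHub Advisory REST API, but the package `examplelib` and its GHSA id are placeholders.

```python
"""Added example, not the project's own code: an offline sketch of the four-step
pipeline. The advisory and the two source files are constructed; the advisory's
field names follow the GitHub Advisory REST API (GET /advisories/{ghsa_id}) but
the content is invented. Step 2 replaces the Mistral call with a heuristic."""
import ast
import re
import tempfile
from pathlib import Path

# Constructed advisory record (placeholder GHSA id, invented package).
SAMPLE_ADVISORY = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Template injection in examplelib",
    "description": (
        "The `render_template` function in examplelib.templates passes user "
        "input to `Environment.from_string` without a sandbox."
    ),
    "vulnerabilities": [{
        "package": {"ecosystem": "pip", "name": "examplelib"},
        "vulnerable_version_range": ">= 1.0.0, < 1.4.2",
        "first_patched_version": "1.4.2",
    }],
}

# Constructed codebase: views.py reaches the vulnerable function, util.py does not.
SAMPLE_FILES = {
    "app/views.py": (
        "from examplelib.templates import render_template\n\n"
        "def show(req):\n"
        "    return render_template(req.args['tpl'])\n"
    ),
    "app/util.py": "import json\n\ndef dump(x):\n    return json.dumps(x)\n",
}


def parse_advisory(advisory):
    """Step 1 (GithubAdvisoryTool role): one record per affected package."""
    return [{"package": v["package"]["name"],
             "range": v["vulnerable_version_range"],
             "patched": v["first_patched_version"],
             "description": advisory["description"]}
            for v in advisory["vulnerabilities"]]


def extract_component_hints(description):
    """Step 2 (SecurityAnalystAgent role): the real tool asks Mistral for the
    vulnerable components and has a human confirm them; this heuristic takes
    the backticked identifiers and keeps their last path segment."""
    return {m.split(".")[-1] for m in re.findall(r"`([A-Za-z_][\w.]*)`", description)}


def _version_tuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_in_range(installed, range_spec):
    """Check an installed version against a GHSA range such as '>= 1.0.0, < 1.4.2'.
    A package outside the range is a false positive before any code is read."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "=": lambda a, b: a == b}
    for clause in range_spec.split(","):
        op, ver = re.match(r"\s*(>=|<=|>|<|=)\s*(\S+)", clause).groups()
        if not ops[op](_version_tuple(installed), _version_tuple(ver)):
            return False
    return True


def find_component_usages(root, package, hints):
    """Step 3 (ComponentSearcherTool role): AST-walk every .py file; only files
    that import the package are searched for call sites of the hinted symbols,
    which keeps unrelated functions that happen to share a name out."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        tree = ast.parse(path.read_text(), filename=str(path))
        imports_pkg = any(
            (isinstance(n, ast.ImportFrom) and (n.module or "").split(".")[0] == package)
            or (isinstance(n, ast.Import) and any(a.name.split(".")[0] == package for a in n.names))
            for n in ast.walk(tree))
        if not imports_pkg:
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.Call):
                func = node.func
                name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
                if name in hints:
                    findings.append({"file": path.relative_to(root).as_posix(),
                                     "line": node.lineno, "symbol": name})
    return findings


def run_example(installed_version="1.3.0"):
    """Run steps 1-3 over the constructed advisory and codebase. Step 4
    (CodeReviewerAgent) would take these call sites and judge reachability."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, src in SAMPLE_FILES.items():
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(src)
        results = []
        for rec in parse_advisory(SAMPLE_ADVISORY):
            if not version_in_range(installed_version, rec["range"]):
                continue  # installed version outside the range: nothing to review
            hints = extract_component_hints(rec["description"])
            results.extend(find_component_usages(tmp, rec["package"], hints))
        return results


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running the file prints the single call site in `app/views.py`; calling `run_example("1.4.2")` returns nothing because the installed version is already the first patched one. The version gate and the import check are the two cheap context filters that cut false positives before the expensive LLM code review runs.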

🏗️ Architecture

[Architecture diagram image]

📦 Prerequisites

  • Python 3.12.3
  • GitHub API token
  • Ollama installed and running locally with the Mistral 7B model:

    ollama pull mistral

  • GPU with CUDA installed

🛠️ Installation & Setup

  1. Clone the repository.

  2. Create a .env file in the project root:

    GITHUB_TOKEN=your_github_token_here

  3. Ensure Ollama is running with the Mistral model.

  4. Install the required packages:

    pip install -r requirements.txt

🚀 Usage

Run the tool by providing a GitHub Advisory ID (GHSA ID) and the path to your codebase:

python3 cve_analyzer.py <GHSA ID> <path_to_codebase>

🎥 Demo

The demo shows how vulnerabilities (identified by GHSA ID) from an SBOM or GitHub Dependabot alerts are analyzed by the tool and their impact studied. The code repository used in the demo for analysis and SBOM generation is the Dolos AI CTF Challenge.

[Demo recording image]

⚠️ Limitations

  • Currently tested on Python codebases
  • Vector DB is not used for now but will be used in the future to store and retrieve codebase and CVE information
  • Only CVE description is used for now, but it will be extended to use more sources of information in the future such as CVE exploit POCs

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
